WindowsSecurity.com Monthly Newsletter

WindowSecurity.com Newsletter of May 2011 Sponsored by: Entrust

Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: gchetcuti@windowsecurity.com

Affordable Strong Authentication

Entrust IdentityGuard offers the widest range of authentication capabilities on the market today. Affordable enough to deploy across your entire enterprise, flexible enough to deploy based on your unique requirements and associated risk.

Try our cost calculator to see how much you could save

1. Protecting Telnet Traffic with IPSec

Most of the time we focus our attention on securing the traffic that leaves and enters our perimeter devices while closing our eyes to internal traffic. Everyone agrees that data crossing the Internet must be protected, but with the rise of insider threats security executives and administrators also have to account for the internal resources that host critical and sensitive data. In environments built on Windows Servers, protecting internal traffic requires no additional cost beyond a configuration exercise. Windows Server 2008 ships with Internet Protocol Security (IPSec), which protects IP packets on the wire through authentication (so that only trusted peers can talk) and, optionally, encryption. Once you have decided which traffic to secure you can enforce it centrally through a Group Policy object, either with the IP Security Policies snap-in used in this article or with the newer Connection Security Rules in Windows Firewall with Advanced Security; both end up negotiating the same IPSec security associations.

Let's take a practical example where we encrypt Telnet traffic between two hosts inside our internal AD (Active Directory) environment. Telnet is a good test case precisely because it is a cleartext protocol: credentials and the whole session are readable by anyone sniffing the segment. Assume we want an encrypted connection to a Telnet host that may only be reached by an administrator from his or her workstation. The host could just as well be any server holding sensitive data that must be protected from unauthorized internal users. IPSec protects data between two computers on an IP network through data authentication and/or data encryption, independently of whether the application protocol itself offers any protection.

Prerequisites - Installing and Configuring Telnet services

If you do not have a Telnet server in place and would like to complete this hands-on exercise, follow these steps on your test Windows Server 2008 Telnet server:

  1. From Server Manager, right click Features and select Add Features.
  2. From the Add Features Wizard select both the Telnet Client and Telnet Server and follow the default steps.
  3. Open the Services console, change the Telnet service's Startup type from Disabled to Automatic and start the service.
  4. In the Start search text box type lusrmgr.msc to open Local Users and Groups, and select the Groups folder.
  5. Double click TelnetClients in the details pane and add the Domain Admins group as a member. Only members of this local group are allowed to log on through Telnet; this is the server's authorization check and is separate from the IPSec protection added later.
  6. Enable the Telnet Client from Windows Features (Control Panel\All Control Panel Items\Programs and Features) on the Windows 7 workstation that will act as the administrator's test client.
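The same prerequisites as a script, added here as an example and not part of the original newsletter. It targets Windows Server 2008 R2 (the Add-WindowsFeature cmdlet needs the ServerManager module, which the RTM release of 2008 does not have), assumes the Telnet service name TlntSvr and the feature names Telnet-Server and Telnet-Client, and assumes the NetBIOS name of the env1.testlab domain is ENV1; the last line is the workstation-side equivalent of step 6.

```powershell
# Added example (not from the original newsletter): Telnet prerequisites as a script.
# Assumptions: Windows Server 2008 R2 (ServerManager module), service name TlntSvr,
# feature names Telnet-Server / Telnet-Client, domain NetBIOS name ENV1.
param(
    [string]$DomainNetBios = 'ENV1',
    [string]$AdminGroup    = 'Domain Admins'
)

# Steps 1-2: install both features on the server.
Import-Module ServerManager
Add-WindowsFeature Telnet-Server, Telnet-Client | Out-Null

# Step 3: the Telnet service is Disabled after installation; make it Automatic and start it.
Set-Service -Name TlntSvr -StartupType Automatic
Start-Service -Name TlntSvr

# Steps 4-5: only members of the local TelnetClients group may log on over Telnet.
# net.exe is used because Add-LocalGroupMember does not exist in PowerShell 2.0.
net localgroup TelnetClients "$DomainNetBios\$AdminGroup" /add | Out-Null

# Sanity checks before touching IPSec: service running, TCP 23 listening, group populated.
$svc = Get-Service -Name TlntSvr
if ($svc.Status -ne 'Running') { throw "TlntSvr is not running: $($svc.Status)" }

$listening = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:23\s+\S+\s+LISTENING'
if (-not $listening) { throw 'Nothing is listening on TCP 23' }

$members = net localgroup TelnetClients
if (-not ($members | Select-String -SimpleMatch $AdminGroup)) {
    throw "$AdminGroup was not added to TelnetClients"
}
Write-Host 'Telnet server ready. Sessions are still cleartext until the IPSec policy is assigned.'

# Step 6, run elevated on the Windows 7 workstation instead of the server:
# dism /online /Enable-Feature /FeatureName:TelnetClient
```

The three checks at the end are worth keeping in any such script: a Telnet service left Disabled, or an administrator missing from TelnetClients, produces a connection failure that is easy to misattribute to IPSec once the policy is in place.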

As you can see, installing a Telnet server was quite simple but let's move on to setting up IPSec.

Create an IPSec Policy

First, from your AD domain controller you need to create a GPO and an IPSec Policy. Note that the GPO below is linked at the domain level, so it applies to every computer in the domain, domain controllers included; in production, link it to an OU containing only the Telnet server and the administrator workstation, or restrict it with security filtering, because the filter created later matches TCP port 23 to any address and would break Telnet from every domain computer to devices that cannot do IPSec, such as switches and routers.

  1. From the Group Policy Management console, expand the Domains node and select your domain name (let's call ours env1.testlab)
  2. Right click env1.testlab and select Create a GPO in this domain, and Link it here... Type a name for the new object such as, IPSec GPO and click OK.
  3. Right click the newly created GPO, that is IPSec GPO and select Edit.
  4. From the Group Policy Management Editor console, go to Computer Configuration\Policies\Windows Settings\Security Settings and right click IP Security Policies on Active Directory.
  5. Select Create IP Security Policy and click Next in the IP Security Policy Wizard.
  6. Type in a name and description such as, Our Test IPSec Policy and follow the default steps till the end.
  7. Finally, Our Test IPSec Policy Properties dialog box should appear as shown below.

Create an IPSec Policy Rule and Filter

Next, you need to configure the newly created IPSec Policy with rules that force Telnet traffic to be encrypted as follows:

  1. From Our Test IPSec Policy Properties dialog box (above), click the Add… button to start the Security Rule Wizard.
  2. On the first two pages leave the default Tunnel Endpoint setting (no tunnel, i.e. transport mode between the two hosts) and select the Local area network (LAN) option under Network Type.
  3. On the IP Filter List page, click the Add... button, type a name such as Telnet IP Filter List in the Name text box and click the Add... button.
  4. In the IP Filter Wizard, type in a description and leave the default of Any IP Address on both the IP Traffic Source and IP Traffic Destination pages. Leave the Mirrored check box selected so that the reply packets from the server are matched as well.
  5. On the IP Protocol Type page, select TCP from the drop-down list and in the next window (IP Protocol Port) type 23 (Telnet's port number) in the To this port: text box, leaving all other settings at their default values. Complete the IP Filter Wizard.
  6. The IP Filter List of the Security Rule Wizard now appears as shown below:
  7. Select the Telnet IP Filter List radio button and click Next.
  8. On the Filter Action page click the Add… button to start the Filter Action Wizard. Here we configure the action to apply to Telnet traffic. Type a name such as Encryption in the Name text box and, if you want, a description in the Description text box.
  9. Leave the default settings, that is, Negotiate security on the Filter Action General Options page and Do not allow unsecured communication on the Communicating with computers that do not support IPsec page. The second setting is what makes this a real control: with the alternative (fall back to unsecured communication) a peer that simply ignores the IKE negotiation would get a cleartext Telnet session.
  10. On the IP Traffic Security page you can use the Custom option to pick specific algorithms, but Integrity and encryption (ESP) will be sufficient for our test environment. Note that encryption without integrity is no longer supported on Windows Vista and later, and for good reason: unauthenticated encryption lets an attacker tamper with ciphertext undetected. Complete the wizard.
  11. On the Filter Action page, select the Encryption radio button and click Next as shown above.
  12. On the Authentication Method page, leave the default Active Directory default (Kerberos V5 protocol) setting and complete the Security Rule Wizard. Kerberos authenticates the computer accounts, so both hosts must be members of the domain and able to reach a domain controller; for a non-domain peer you would need a certificate or a pre-shared key (the latter only for testing).
  13. Close the Properties window and assign the policy by right clicking Our Test IPSec Policy and selecting Assign from the Group Policy Management Editor console. Only one IPSec policy can be assigned to a computer at a time, and a policy assigned through a domain GPO takes precedence over any locally assigned one.
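The whole policy can also be built from the command line with netsh ipsec static, which is handy for testing on the two hosts before committing anything to a GPO. This is an added example, not part of the original newsletter. It builds the policy in each machine's local store (run it on both the Telnet server and the workstation); with "set store location=domain" the objects would be written to the IP Security container in AD instead, where assignment is done from the GPO editor. The algorithm pair ESP[3DES,SHA1] is assumed to match the wizard's Integrity and encryption choice; the legacy netsh ipsec context only offers DES/3DES and MD5/SHA1.

```powershell
# Added example (not from the original newsletter): the same policy via netsh ipsec static.
# Assumptions: local policy store on each host (not the AD/GPO store), domain-joined
# peers so that Kerberos works, and ESP[3DES,SHA1] as the negotiated quick mode method.
param(
    [string]$PolicyName   = 'Our Test IPSec Policy',
    [string]$FilterList   = 'Telnet IP Filter List',
    [string]$FilterAction = 'Encryption',
    [string]$RuleName     = 'Telnet Rule'
)

# Work in the local store; the default, stated here so the script is explicit.
netsh ipsec static set store location=local | Out-Null

# The policy object itself (step 5-7 of "Create an IPSec Policy").
netsh ipsec static add policy name="$PolicyName" description="Force ESP for Telnet" | Out-Null

# Filter list + filter: any source, any destination, TCP, any source port -> port 23,
# mirrored so the server's replies (port 23 -> any) are matched too.
netsh ipsec static add filterlist name="$FilterList" | Out-Null
netsh ipsec static add filter filterlist="$FilterList" srcaddr=any dstaddr=any `
    protocol=TCP srcport=0 dstport=23 mirrored=yes description="Any host to TCP 23" | Out-Null

# Filter action: negotiate, no unsecured inbound passthrough (inpass=no) and no
# fallback to cleartext (soft=no). soft=yes would be the insecure alternative.
netsh ipsec static add filteraction name="$FilterAction" action=negotiate `
    inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]" | Out-Null

# Rule tying list and action together, LAN connections only, Kerberos authentication.
netsh ipsec static add rule name="$RuleName" policy="$PolicyName" `
    filterlist="$FilterList" filteraction="$FilterAction" conntype=lan kerberos=yes | Out-Null

# Assign it (only one policy may be assigned at a time in a given store).
netsh ipsec static set policy name="$PolicyName" assign=y | Out-Null

# Show what was built; the verbose listing prints filters, action and assignment state.
netsh ipsec static show policy name="$PolicyName" level=verbose format=list

# Rollback if needed:
# netsh ipsec static set policy name="$PolicyName" assign=n
# netsh ipsec static delete policy name="$PolicyName"
```

Because the filter is any-to-any on port 23, assigning this on a host that also needs cleartext Telnet to a network device will block that session; narrow srcaddr/dstaddr to the two hosts if that is a concern.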

Testing the environment

To make sure the policy you just created takes effect immediately, run the gpupdate command from a command prompt on both test machines (i.e. on your test Telnet server and on the workstation). Both sides must have the policy: if only one host has it, the other will not answer the IKE negotiation and, because we chose Do not allow unsecured communication, the Telnet connection will simply fail rather than fall back to cleartext.

From the test workstation log in with a user account that is a member of the domain admin group and open a command prompt:

  1. At the command prompt, type telnet telnet_server_name (to quit a Telnet session, type exit).
  2. Go to Windows Firewall with Advanced Security and expand the Monitoring\Security Associations node.
  3. Select the Main Mode folder and you should see a security association from your workstation to the Telnet server showing the IP addresses of client and server, the authentication method (Kerberos) and the encryption and integrity algorithms negotiated for IKE.
  4. Select the Quick Mode folder and, after refreshing with the Telnet session still open, you should see the same endpoints plus the protocol and port covered by this association (TCP 23) and ESP as the encapsulation. This confirms that IPSec is protecting the session.
  5. Additionally, run Microsoft Network Monitor or Wireshark on either host: instead of TCP port 23 traffic with a readable login prompt you should only see IKE (UDP 500) followed by ESP (IP protocol 50) packets. Logging on with a normal user account and attempting to connect is also worth doing, but note that the refusal you get comes from the Telnet server's TelnetClients group check, not from IPSec; a computer's IPSec policy applies regardless of which user is logged on.
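The test steps above can be scripted from the administrator workstation so that the check is repeatable after every policy change. This is an added example and not code from the original newsletter. It assumes a Telnet server named telnet01.env1.testlab (a hypothetical name) and that the text printed by "netsh advfirewall monitor show mmsa" and "show qmsa" contains the peer's IP address and the string ESP when a security association exists; the exact labels in that output are not relied upon.

```powershell
# Added example (not from the original newsletter): verify that Telnet to the server
# is protected by an ESP security association. Assumes telnet01.env1.testlab is the
# hypothetical Telnet server and that the netsh monitor output lists peer IPs and "ESP".
param([string]$TelnetServer = 'telnet01.env1.testlab')

# Pull the GPO now instead of waiting for the background refresh.
gpupdate /force | Out-Null

$serverIp = [System.Net.Dns]::GetHostAddresses($TelnetServer) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1 -ExpandProperty IPAddressToString

# A plain TCP connect to port 23 is enough to trigger IKE main mode and quick mode.
# With "Do not allow unsecured communication" a missing policy on the server means
# the connect fails instead of silently going cleartext, which is the behaviour we want.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($serverIp, 23)
    Start-Sleep -Seconds 2   # let IKE finish before reading the SA tables
    $mm = netsh advfirewall monitor show mmsa | Out-String
    $qm = netsh advfirewall monitor show qmsa | Out-String
} catch {
    throw "TCP 23 to $serverIp failed: $($_.Exception.Message). Either one side lacks the policy or IKE/Kerberos failed; check the Security event log on both hosts."
} finally {
    $client.Close()
}

$ipPattern = [regex]::Escape($serverIp)
if ($mm -notmatch $ipPattern) {
    throw "No main mode SA with $serverIp (IKE did not complete)"
}
if ($qm -notmatch $ipPattern -or $qm -notmatch 'ESP') {
    throw "No ESP quick mode SA with $serverIp: port 23 traffic is NOT protected"
}
Write-Host "ESP security association established with $serverIp; the Telnet session is encrypted on the wire."
```

Run the same script with the policy unassigned on the server to see the negative case: the connect times out and no SA appears, rather than a cleartext session being established.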

Conclusion

IPSec allows you to protect network traffic by providing data authentication and encryption. The two protocols behind IPSec are:

  • Authentication Header (AH), which provides data integrity, data origin authentication and anti-replay protection for the entire IP packet, including the IP header (except for fields that legitimately change in transit, such as the TTL). Because the header is covered, AH cannot pass through NAT, and it provides no confidentiality.
  • Encapsulating Security Payload (ESP), which provides data encryption, data origin authentication, data integrity and anti-replay protection for the ESP payload, that is, everything after the outer IP header. ESP is what the Integrity and encryption option above negotiates and what makes the Telnet session unreadable on the wire.

Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you're more than welcome to e-mail me at gchetcuti@windowsecurity.com.

See you next month! - George

2. WindowSecurity.com Articles of Interest 


3. Tip of the Month

Check out a Microsoft command-line tool that is more flexible and powerful than the Telnet Client for testing whether a port answers. It is called PortQry. The tool has been around since Windows 2000, runs on Windows 7, and version 2 adds more features, such as querying UDP services and reporting whether a port is listening, not listening or filtered. You can download PortQryV2.exe from Microsoft's download center as explained in this article: http://www.windows7library.com/blog/problems/testing-service-connectivity-with-portqry/

4. Latest Security Exploits and Concerns


5. Ask George a question

QUESTION:

Hi George,

What are Security Associations?

Thanks,
Pete

ANSWER:

Hi Pete,

With the help of IPSec you can build a secure channel between two or more hosts. This can be achieved either through IPSec Policies, as we have seen in this newsletter, or through IPSec connection security rules. A Security Association (SA) is the agreement the two peers reach for that channel: which protocol (AH or ESP), which algorithms, which keys, and a Security Parameter Index (SPI) that tags each protected packet so the receiver knows which SA to use. An SA is one-directional, so a protected conversation uses a pair of them, one in each direction. Security for the data is provided by the AH and ESP protocols, while the SAs themselves are established and re-keyed dynamically by the IKE (Internet Key Exchange) protocol. The Main Mode entries you saw under Monitoring are the IKE SAs that authenticated the two computers, and the Quick Mode entries are the IPSec SAs that actually protect the Telnet packets.
